Hurdles ahead for encryption commission

McCAUL COURTS ENCRYPTION COMMISSION ALLIES — House Homeland Security Committee Chairman Mike McCaul was in San Francisco on Thursday pitching his encryption commission proposal. He says he’s happy with the initial feedback, but there are hurdles ahead. At least one of the House panels responsible for advancing the bill doesn’t intend to mark it up.

McCaul spent much of the day talking to tech industry executives at the RSA Conference, then gave a speech urging industry cooperation in tackling the “going dark” problem of bad guys using scrambled communications. He said the choices are to do nothing (not acceptable to him); pass legislation to create a “backdoor” (not acceptable to him or tech companies); or embrace his commission legislation. He has more meetings today — including with Apple, Google and Facebook. The Texas Republican said he’s received “strong backing” from the tech community so far, after having been stymied before the San Bernardino, Calif., terrorist attack. “I tried to sit down with them a year ago, and federal law enforcement,” he told reporters after the speech. “There wasn’t any willingness to sit down.”

But the bill’s fate depends on others, too. The legislation was sent to Judiciary, Energy and Commerce, and Foreign Affairs for consideration. McCaul said those chairmen have told him they are interested. “The more widespread support there is, the easier it’s going to be,” he added. But MC is told by a committee aide that House Judiciary doesn’t intend to mark up the bill. The Senate outlook is more favorable: The companion bill sponsored by Sen. Mark Warner (D-Va.) was referred to the Homeland Security panel chaired by Sen. Ron Johnson (R-Wis.), a vocal bill backer.

— THE ENCRYPTION FIGHT OF THE FUTURE: The race is on to create a quantum computer that would have more code-breaking juice than anything that exists now. “I think the country that develops quantum computing will be analogous to the atomic bomb in this space,” McCaul said in his speech. “I think it’s important that we invest in the research of quantum computing, which we are doing.” Of course, the U.S. isn’t alone: Countries such as Russia and China are also pursuing the embryonic technology. “I think it’s important we stay ahead of that curve,” McCaul said. “It’s something that will be very powerful in the future.”

— THE OTHER KIND OF SHARING: One RSA trend this year involves companies talking about sharing threat information publicly — or even with competitors. “Maybe we need to democratize the data and compete on the cure,” Caleb Barlow, a vice president at IBM Security, told MC. That notion came up earlier this week during a keynote speech by Chris Young, general manager at Intel Security, and it’s something others are buzzing about, too. IBM Security already has embraced the idea. “If you know how someone is being attacked, and you have actionable information about the compromise, share it,” Barlow said. “If you share it, and everybody shares the information, everybody gets inoculated.”

— OVERHEARD AT PANELS: Phyllis Schneck, the Homeland Security Department’s deputy undersecretary for cybersecurity and communications, on needing to research the DNA of malware: “To truly cause pain to this adversary, we have to cut the business model and make sure they stop reusing and just tweaking malware to get back at us.”

— OVERHEARD AT PANELS II: U.S. Attorney David Hickton, on the 2014 indictment of five Chinese PLA officials: “I intend to bring these individuals to justice. This was not just for show, or name and shame.” David Bitkower, principal deputy assistant attorney general in the Justice Department’s criminal division, on what RSA attendees must be thinking about a law-enforcement panel, given the ongoing encryption fight: “Why are all you law-enforcement people out here at RSA? Shouldn’t you be running around undermining cybersecurity?”

HAPPY FRIDAY and welcome to Morning Cybersecurity! Seriously, can we not give robots the ability to shapeshift or camouflage themselves? Skynet, Skynet, Skynet. Send thoughts, feedback and especially your tips to tstarks@politico.com and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

A LITTLE HELP FROM FRIENDS — Thursday drew a flood of support for Apple in its fight against a federal court order directing it to help the FBI unlock an iPhone used by one of the San Bernardino terrorists. A key theme in the nearly two dozen briefs: pushback against the government’s claim of authority to compel Apple to produce a new operating system for the locked device carried by Syed Farook.

The All Writs Act, the statute cited by prosecutors, gives courts the power to require parties to deliver existing information, but not to “invent a new product,” says a brief from BSA, the Information Technology Industry Council and TechNet. Compelling Apple to write code is a violation of the First Amendment, wrote the Electronic Frontier Foundation. The federal court order is “akin to the government dictating a letter endorsing its preferred position and forcing Apple to transcribe it and sign its unique and forgery-proof name at the bottom,” EFF wrote. The order “endangers public safety,” said a brief signed by cybersecurity experts including Jonathan Zdziarski, a forensic scientist, and cryptologist Bruce Schneier. “Apple will likely lose control of the code, due either to legal compulsion or theft,” they warned.

As of Thursday evening, there appeared to be only three briefs backing the Justice Department, all from law-enforcement groups. “If Apple can refuse lawful court orders to reasonably assist law enforcement, public safety will suffer,” wrote the Federal Law Enforcement Officers Association, the Association of Prosecuting Attorneys and the National Sheriffs’ Association. The San Bernardino County district attorney also weighed in, arguing that the people of California “have a compelling governmental interest in acquiring any evidence of criminal conduct, additional perpetrators, potential damage to the infrastructure of San Bernardino County” that might reside on Farook’s device. A group of California police associations also filed a brief.

NEW DATA SECURITY PLAYER — The Consumer Financial Protection Bureau on Wednesday ordered the online payment system Dwolla to pay a $100,000 civil penalty and improve its customer data security. This marks the first time the agency has fined a company for its data security practices, according to a news release. The FTC and the SEC also recently asserted their authority in this area. Dwolla falsely claimed that its security practices exceeded industry standards and that sensitive consumer information was always encrypted, the bureau said. In addition to the fine, the firm must upgrade its internal security, Web and mobile interfaces and employee training.

ENCORE, ENCORE — The Defense Information Systems Agency released its final request for proposal Wednesday for the ENCORE III master contract, which could run up to $17.5 billion and includes provisions for cybersecurity, networks support and cloud computing. The contract’s cybersecurity focus has expanded since ENCORE II in 2008. The contract will be awarded to multiple vendors.

FORBES RAISES ZOOMLION CONCERNS — Rep. Randy Forbes (R-Va.) sounded the alarm Thursday about a Chinese company’s attempt to buy the U.S. heavy equipment manufacturer Terex, which sells cranes and other equipment for military, aerospace and utility projects. The Chinese firm Zoomlion supplies materials to China’s People’s Liberation Army and is partly owned by the Hunan provincial government, Forbes said in a letter to Treasury Secretary Jack Lew. “I have serious concerns over allowing a company that is under the influence of the Chinese government to have access to sensitive areas of our nation’s infrastructure,” wrote Forbes, who chairs a House Armed Services subcommittee. Rep. Duncan Hunter (R-Calif.) and others previously raised concerns about the deal. A 2014 Senate Armed Services Committee investigation revealed that numerous U.S. Transportation Command contractors had been breached by PLA-linked hackers.

ON THE MOVE

— Luke Dembosky, the highest-ranking cyber-focused official at Justice, is joining the law firm Debevoise & Plimpton.

QUICK BYTES

— Hillary Clinton’s email server logs show no breach occurred, according to records her former aide, who got immunity, turned over to the FBI. POLITICO.

— The WSJ talks to experts who suggest chip hacking to get into the San Bernardino terrorist’s iPhone.

— And Rep. David Jolly (R-Fla.) wants to bar federal agencies from buying Apple products until the tech firm helps the FBI crack into that iPhone.

— Amazon has removed encryption support from some devices, Motherboard reports.

— An IRS identity protection system designed to help fraud victims got hacked. The Washington Post.

— The search warrant that the FBI used to hack a child pornography website was unconstitutional, according to the Electronic Frontier Foundation and 46 technology experts.

— The devil may be in the details for the successor to the U.S.-EU Safe Harbor data privacy agreement, Roger Williams University law professor Peter Margulies finds in a Lawfare post.

— Less than one-third of cyberattacks against British firms are reported to law enforcement, a Barclays-backed report finds. The Register.

— Researchers at Bluebox Security have found a security flaw in … wait for it … the official RSA conference app.

— The Finnish cyber firm F-Secure’s CEO wants to expand in the European market, Reuters reports.

— More than a third of the largest federal government contractors have a higher-than-average risk of being hacked by cyber criminals. Winvale study.

About The Author

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.